Open jcheron opened 1 year ago
Given the following role hierarchy defined in the Spring security configuration:
@Bean fun roleHierarchy(): RoleHierarchy { val roleHierarchy = RoleHierarchyImpl() val hierarchy = "ROLE_ADMIN > ROLE_USER" roleHierarchy.setHierarchy(hierarchy) return roleHierarchy }
Given the following authorisations:
http.requestMatchers("/bar/**").hasAuthority("USER")
A user with the ROLE_ADMIN role should be able to access the /bar/** urls
ROLE_ADMIN
/bar/**
403 Fordidden
The following changes to the configuration have no effect
@Bean fun webSecurityExpressionHandler(): DefaultWebSecurityExpressionHandler { val expressionHandler = DefaultWebSecurityExpressionHandler() expressionHandler.setRoleHierarchy(roleHierarchy()) return expressionHandler } @Bean fun expressionHandler(): DefaultMethodSecurityExpressionHandler { val expressionHandler = DefaultMethodSecurityExpressionHandler() expressionHandler.setRoleHierarchy(roleHierarchy()) return expressionHandler } @Bean fun grantedAuthoritiesMapper(roleHierarchy: RoleHierarchy): GrantedAuthoritiesMapper { return RoleHierarchyAuthoritiesMapper(roleHierarchy) }
17 Corretto
1.7.22
3.0.3
6.0.2
see https://github.com/spring-projects/spring-security/issues/12473 see https://github.com/spring-projects/spring-security/pull/12505 see https://github.com/vrudas/spring-framework-examples/issues/101
Context
Given the following role hierarchy defined in the Spring security configuration:
Given the following authorisations:
Expected behaviour
A user with the
ROLE_ADMINrole should be able to access the/bar/**urlsCurrent result
Changes
The following changes to the configuration have no effect
Versions
17 Corretto1.7.223.0.36.0.2see https://github.com/spring-projects/spring-security/issues/12473 see https://github.com/spring-projects/spring-security/pull/12505 see https://github.com/vrudas/spring-framework-examples/issues/101